Update2: New 0-day in Microsoft Internet Explorer 8

Microsoft published Fix-it 50992 which their Appcompat shim technology to neutralize the vulnerability. The Fix-it can be accessed at KB2847140

Update:

A Metasploit module has been made available for the 0-day vulnerability, which will makes it easier to convince IT managment of the robustness and applicability of the exploit.

Original:

Yesterday Microsoft published security advisory KB2847140 about an exploit for 0-day vulnerability (CVE-2013-1347) in Internet Explorer 8. The exploit is in active use in the wild, for example on the compromised website at the US Department of Labor earlier this week, Initially it was widely reported that the website was exploiting a known vulnerability in Internet Explorer to then install the remote access tool Poison Ivy.

However yesterday Fireeye and Invincea showed in two blogposts that even a fully patched Internet Explorer falls prey to the attack, making the attack a legitimate 0-day.

Microsoft’s recommends installing EMET to mitigate the vulnerability or to disabling active scripting. Alternatively one can upgrade to Internet Explorer 9 which is not affected by the vulnerability.

We will update this blog post as soon as we get more information on the vulnerability and possible mitigation steps. Microsoft Patch Tuesday is only 10 days away and we know that new Internet Explorer versins are coming, as they address the vulnerabilities disclosed during the recent PWN2OWN competation in Vancouver at CanSecWest. It will be challenging to get a fix integrated into these new Internet Explorer versions in time for Patch Tuesday.